Welcome to a new era in computer security: the era of discount terrorism. The traditional definition of terrorism is acts of violence intended to create fear, perpetrated for political, religious, or ideological reasons and without regard for the safety of non-combatants. The penetration of Sony's network may not have been violent, but it certainly meets the other criteria of the definition.
The perps who staged the attack are criminals, but what they did is an innovation in the terrorism industry. They have found a way to create the disruptive fear that is the goal of terrorism without the cost of bombs, machine guns, or box cutters. In doing so, they mounted the most catastrophic data breach in history. They have published troves of embarrassing messages and contracts and claim to be in possession of password files, asset inventories, network maps, financial documents, and work product. Furthermore, the perps seem to be so in control of this conflict that all they had to do was threaten the physical safety of moviegoers attending the film The Interview, and theater chains began canceling engagements for the movie. Sony has now withdrawn the film, which is a financial disaster for the beleaguered company.
In October, I made three recommendations for protecting your organization’s data:
1) Create a culture of security in your organization.
2) Provide general training in security so all your employees know the difference between legitimate and illegitimate activity.
3) Provide advanced training for the employees tasked with data security so they can take a proactive role in protecting your information assets.
And while I like to believe that training is the answer to most organizational problems, I have to admit that it may not have helped poor Sony very much. A spokesperson purporting to represent the GOP (“Guardians of Peace”) claimed they were helped by someone on the inside. There are no training programs to teach loyalty. The best you can do is hire carefully and manage with integrity to minimize employee alienation. And those steps may not even help. A report from the Associated Press says federal investigators believe there’s a connection between this breach and North Korea. This is pure speculation on my part, but if the Sony GOP collaborator was planted there by a foreign government, cybersecurity is going to become increasingly difficult in the future and may even require new national policies.
So where does that leave us? We’ll have to wait and see about national policies, and we will all have to continue to hire carefully and to create cultures of openness that hinder duplicity. But there is still a role for training. Your users still need to be savvy about protecting organizational data, and the employees charged with your data security still need to be on the cutting edge. You might even say now more than ever, because the orcs won’t give up, and they are ready to take advantage of any distraction. Get employees the training they need to recognize security risks and actively protect company assets. Consider giving employees the chance to gain cybersecurity certification with the Logical Operations Securing Cisco Networks with Threat Detection and Analysis (SCYBER) Training Curriculum. It may be a new era in terrorism, but you don’t have to take it lying down.